cloudstack-commits mailing list archives

From prachida...@apache.org
Subject [1/2] Account_Type Refactoring for Root Admin Role
Date Tue, 24 Sep 2013 23:54:51 GMT
Updated Branches:
  refs/heads/rbac ddae23c16 -> aba54356d


http://git-wip-us.apache.org/repos/asf/cloudstack/blob/aba54356/server/src/com/cloud/user/AccountManagerImpl.java
----------------------------------------------------------------------
diff --git a/server/src/com/cloud/user/AccountManagerImpl.java b/server/src/com/cloud/user/AccountManagerImpl.java
index 9a03590..e78620e 100755
--- a/server/src/com/cloud/user/AccountManagerImpl.java
+++ b/server/src/com/cloud/user/AccountManagerImpl.java
@@ -344,16 +344,19 @@ public class AccountManagerImpl extends ManagerBase implements AccountManager,
M
     }
 
     @Override
-    public boolean isRootAdmin(short accountType) {
-        return (accountType == Account.ACCOUNT_TYPE_ADMIN);
+    public boolean isRootAdmin(long accountId) {
+        // refer to account_group_map and check if account is in Root 'Admin'
+        // group
+        return false;
     }
 
     public boolean isResourceDomainAdmin(short accountType) {
         return (accountType == Account.ACCOUNT_TYPE_RESOURCE_DOMAIN_ADMIN);
     }
 
-    public boolean isInternalAccount(short accountType) {
-        if (isRootAdmin(accountType) || (accountType == Account.ACCOUNT_ID_SYSTEM)) {
+    public boolean isInternalAccount(long accountId) {
+        Account account = _accountDao.findById(accountId);
+        if (isRootAdmin(accountId) || (account.getType() == Account.ACCOUNT_ID_SYSTEM)) {
             return true;
         }
         return false;
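Review bot: `isRootAdmin(long accountId)` is committed as a stub that always returns `false`, so every call site converted in this commit (the `checkAccess` bypass, the list filters, the `displayvm` and VM-migration checks) treats a root admin as an ordinary caller until the `account_group_map` lookup exists. That fails closed, but it should be marked in the code, for example `// TODO(rbac): stub, always false until the account_group_map lookup is implemented`. In `isInternalAccount`, the result of `_accountDao.findById(accountId)` is dereferenced without a null check, so if the DAO returns null for an unknown id the call throws a NullPointerException, including on the login path that calls `isInternalAccount(userAccount.getId())`. The same condition compares `account.getType()` with `Account.ACCOUNT_ID_SYSTEM`, which by its name is an account id rather than a type; if the system account is what is meant, `return isRootAdmin(accountId) || accountId == Account.ACCOUNT_ID_SYSTEM;` matches the id comparison `checkAccess` uses and needs no DAO lookup. The body of `isInternalAccount` closes outside the hunk.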
@@ -377,7 +380,7 @@ public class AccountManagerImpl extends ManagerBase implements AccountManager,
M
     @Override
     public void checkAccess(Account caller, AccessType accessType, boolean sameOwner, ControlledEntity...
entities) {
 
-        if (caller.getId() == Account.ACCOUNT_ID_SYSTEM || isRootAdmin(caller.getType()))
{
+        if (caller.getId() == Account.ACCOUNT_ID_SYSTEM || isRootAdmin(caller.getId())) {
             // no need to make permission checks if the system/root admin makes the call
             if (s_logger.isTraceEnabled()) {
                 s_logger.trace("No need to make permission check for System/RootAdmin account,
returning true");
@@ -1973,7 +1976,7 @@ public class AccountManagerImpl extends ManagerBase implements AccountManager,
M
                 // return null;
             }
             // Whenever the user is able to log in successfully, reset the login attempts
to zero
-            if(!isInternalAccount(userAccount.getType()))
+            if (!isInternalAccount(userAccount.getId()))
                 updateLoginAttempts(userAccount.getId(), 0, false);
 
             return userAccount;
@@ -2230,7 +2233,7 @@ public class AccountManagerImpl extends ManagerBase implements AccountManager,
M
                 } else if (!listAll) {
                     if (id == null) {
                         permittedAccounts.add(caller.getId());
-                    } else if (caller.getType() != Account.ACCOUNT_TYPE_ADMIN) {
+                    } else if (!isRootAdmin(caller.getId())) {
                         domainIdRecursiveListProject.first(caller.getDomainId());
                         domainIdRecursiveListProject.second(true);
                     }

http://git-wip-us.apache.org/repos/asf/cloudstack/blob/aba54356/server/src/com/cloud/user/DomainManagerImpl.java
----------------------------------------------------------------------
diff --git a/server/src/com/cloud/user/DomainManagerImpl.java b/server/src/com/cloud/user/DomainManagerImpl.java
index b885c48..58e8017 100644
--- a/server/src/com/cloud/user/DomainManagerImpl.java
+++ b/server/src/com/cloud/user/DomainManagerImpl.java
@@ -431,7 +431,7 @@ public class DomainManagerImpl extends ManagerBase implements DomainManager,
Dom
             }
             _accountMgr.checkAccess(caller, domain);
         } else {
-            if (caller.getType() != Account.ACCOUNT_TYPE_ADMIN) {
+            if (!_accountMgr.isRootAdmin(caller.getId())) {
             domainId = caller.getDomainId();
             }
             if (listAll) {

http://git-wip-us.apache.org/repos/asf/cloudstack/blob/aba54356/server/src/com/cloud/vm/UserVmManagerImpl.java
----------------------------------------------------------------------
diff --git a/server/src/com/cloud/vm/UserVmManagerImpl.java b/server/src/com/cloud/vm/UserVmManagerImpl.java
index ea9c540..84c8919 100755
--- a/server/src/com/cloud/vm/UserVmManagerImpl.java
+++ b/server/src/com/cloud/vm/UserVmManagerImpl.java
@@ -1800,7 +1800,7 @@ public class UserVmManagerImpl extends ManagerBase implements UserVmManager,
Vir
         if (isDisplayVmEnabled == null) {
             isDisplayVmEnabled = vmInstance.isDisplayVm();
         } else{
-            if(!_accountMgr.isRootAdmin(caller.getType())){
+            if(!_accountMgr.isRootAdmin(caller.getId())){
                 throw new PermissionDeniedException( "Cannot update parameter displayvm,
only admin permitted ");
             }
         }
@@ -2471,7 +2471,7 @@ public class UserVmManagerImpl extends ManagerBase implements UserVmManager,
Vir
         assert !(requestedIps != null && (defaultIps.getIp4Address() != null || defaultIps.getIp6Address()
!= null)) : "requestedIp list and defaultNetworkIp should never be specified together";
 
         if (Grouping.AllocationState.Disabled == zone.getAllocationState()
-                && !_accountMgr.isRootAdmin(caller.getType())) {
+                && !_accountMgr.isRootAdmin(caller.getId())) {
             throw new PermissionDeniedException(
                     "Cannot perform this operation, Zone is currently disabled: "
                             + zone.getId());
@@ -2540,7 +2540,7 @@ public class UserVmManagerImpl extends ManagerBase implements UserVmManager,
Vir
                         // Root admin has access to both VM and AG by default,
                         // but
                         // make sure the owner of these entities is same
-                        if (caller.getId() == Account.ACCOUNT_ID_SYSTEM || _accountMgr.isRootAdmin(caller.getType()))
{
+                        if (caller.getId() == Account.ACCOUNT_ID_SYSTEM || _accountMgr.isRootAdmin(caller.getId()))
{
                             if (!_affinityGroupService.isAffinityGroupAvailableInDomain(ag.getId(),
owner.getDomainId())) {
                                 throw new PermissionDeniedException("Affinity Group " + ag
                                         + " does not belong to the VM's domain");
@@ -2551,7 +2551,7 @@ public class UserVmManagerImpl extends ManagerBase implements UserVmManager,
Vir
                         // Root admin has access to both VM and AG by default,
                         // but
                         // make sure the owner of these entities is same
-                        if (caller.getId() == Account.ACCOUNT_ID_SYSTEM || _accountMgr.isRootAdmin(caller.getType()))
{
+                        if (caller.getId() == Account.ACCOUNT_ID_SYSTEM || _accountMgr.isRootAdmin(caller.getId()))
{
                             if (ag.getAccountId() != owner.getAccountId()) {
                                 throw new PermissionDeniedException("Affinity Group " + ag
                                         + " does not belong to the VM's account");
@@ -2776,7 +2776,7 @@ public class UserVmManagerImpl extends ManagerBase implements UserVmManager,
Vir
         }
 
         if(isDisplayVmEnabled != null){
-            if(!_accountMgr.isRootAdmin(caller.getType())){
+            if(!_accountMgr.isRootAdmin(caller.getId())){
                 throw new PermissionDeniedException( "Cannot update parameter displayvm,
only admin permitted ");
             }
             vm.setDisplayVm(isDisplayVmEnabled);
@@ -3264,7 +3264,7 @@ public class UserVmManagerImpl extends ManagerBase implements UserVmManager,
Vir
         Host destinationHost = null;
         if (hostId != null) {
             Account account = CallContext.current().getCallingAccount();
-            if (!_accountService.isRootAdmin(account.getType())) {
+            if (!_accountService.isRootAdmin(account.getId())) {
                 throw new PermissionDeniedException(
                         "Parameter hostid can only be specified by a Root Admin, permission
denied");
             }
@@ -3759,7 +3759,7 @@ public class UserVmManagerImpl extends ManagerBase implements UserVmManager,
Vir
     public VirtualMachine vmStorageMigration(Long vmId, StoragePool destPool) {
         // access check - only root admin can migrate VM
         Account caller = CallContext.current().getCallingAccount();
-        if (caller.getType() != Account.ACCOUNT_TYPE_ADMIN) {
+        if (!_accountMgr.isRootAdmin(caller.getId())) {
             if (s_logger.isDebugEnabled()) {
                 s_logger.debug("Caller is not a root admin, permission denied to migrate
the VM");
             }
@@ -3832,7 +3832,7 @@ public class UserVmManagerImpl extends ManagerBase implements UserVmManager,
Vir
             ManagementServerException, VirtualMachineMigrationException {
         // access check - only root admin can migrate VM
         Account caller = CallContext.current().getCallingAccount();
-        if (caller.getType() != Account.ACCOUNT_TYPE_ADMIN) {
+        if (!_accountMgr.isRootAdmin(caller.getId())) {
             if (s_logger.isDebugEnabled()) {
                 s_logger.debug("Caller is not a root admin, permission denied to migrate
the VM");
             }
@@ -4162,7 +4162,7 @@ public class UserVmManagerImpl extends ManagerBase implements UserVmManager,
Vir
             ManagementServerException, VirtualMachineMigrationException {
         // Access check - only root administrator can migrate VM.
         Account caller = CallContext.current().getCallingAccount();
-        if (caller.getType() != Account.ACCOUNT_TYPE_ADMIN) {
+        if (!_accountMgr.isRootAdmin(caller.getId())) {
             if (s_logger.isDebugEnabled()) {
                 s_logger.debug("Caller is not a root admin, permission denied to migrate
the VM");
             }
@@ -4289,7 +4289,7 @@ public class UserVmManagerImpl extends ManagerBase implements UserVmManager,
Vir
 
         // VV 1: verify the two users
         Account caller = CallContext.current().getCallingAccount();
-        if (caller.getType() != Account.ACCOUNT_TYPE_ADMIN
+        if (!_accountMgr.isRootAdmin(caller.getId())
                 && caller.getType() != Account.ACCOUNT_TYPE_DOMAIN_ADMIN) { // only
             // root
             // admin
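Review bot: The caller check mixes two role models: root admin is resolved through `_accountMgr.isRootAdmin(caller.getId())`, while domain admin is still read from `caller.getType()`. Once roles are derived from the group mapping, the two sources can disagree for the same account, so the remaining type comparison should carry a marker such as `// TODO(rbac): replace ACCOUNT_TYPE_DOMAIN_ADMIN type check with a group-based lookup`, or go through a matching helper on the account manager. The enclosing method starts and ends outside the hunk.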

http://git-wip-us.apache.org/repos/asf/cloudstack/blob/aba54356/server/src/org/apache/cloudstack/affinity/AffinityGroupServiceImpl.java
----------------------------------------------------------------------
diff --git a/server/src/org/apache/cloudstack/affinity/AffinityGroupServiceImpl.java b/server/src/org/apache/cloudstack/affinity/AffinityGroupServiceImpl.java
index 8f2caad..9343b22 100644
--- a/server/src/org/apache/cloudstack/affinity/AffinityGroupServiceImpl.java
+++ b/server/src/org/apache/cloudstack/affinity/AffinityGroupServiceImpl.java
@@ -161,7 +161,7 @@ public class AffinityGroupServiceImpl extends ManagerBase implements AffinityGro
 
         AffinityGroupProcessor processor = typeProcessorMap.get(affinityGroupType);
 
-        if (processor.isAdminControlledGroup() && !_accountMgr.isRootAdmin(caller.getType()))
{
+        if (processor.isAdminControlledGroup() && !_accountMgr.isRootAdmin(caller.getId()))
{
             throw new PermissionDeniedException("Cannot create the affinity group");
         }
 
@@ -176,7 +176,7 @@ public class AffinityGroupServiceImpl extends ManagerBase implements AffinityGro
 
         } else if (domainId != null && account == null) {
 
-            if (!_accountMgr.isRootAdmin(caller.getType())) {
+            if (!_accountMgr.isRootAdmin(caller.getId())) {
                 // non root admin need to pass both account and domain
                 throw new InvalidParameterValueException(
                         "Unable to create affinity group, account name must be passed with
the domainId");
@@ -484,7 +484,7 @@ public class AffinityGroupServiceImpl extends ManagerBase implements AffinityGro
                 _accountMgr.checkAccess(caller, null, true, owner, ag);
                 // Root admin has access to both VM and AG by default, but make sure the
                 // owner of these entities is same
-                if (caller.getId() == Account.ACCOUNT_ID_SYSTEM || _accountMgr.isRootAdmin(caller.getType()))
{
+                if (caller.getId() == Account.ACCOUNT_ID_SYSTEM || _accountMgr.isRootAdmin(caller.getId()))
{
                     if (ag.getAccountId() != owner.getAccountId()) {
                         throw new PermissionDeniedException("Affinity Group " + ag
                                 + " does not belong to the VM's account");

http://git-wip-us.apache.org/repos/asf/cloudstack/blob/aba54356/server/test/com/cloud/user/MockAccountManagerImpl.java
----------------------------------------------------------------------
diff --git a/server/test/com/cloud/user/MockAccountManagerImpl.java b/server/test/com/cloud/user/MockAccountManagerImpl.java
index 38cc1a84..7a8e1ee 100644
--- a/server/test/com/cloud/user/MockAccountManagerImpl.java
+++ b/server/test/com/cloud/user/MockAccountManagerImpl.java
@@ -163,7 +163,7 @@ public class MockAccountManagerImpl extends ManagerBase implements Manager,
Acco
     }
 
     @Override
-    public boolean isRootAdmin(short accountType) {
+    public boolean isRootAdmin(long accountId) {
         // TODO Auto-generated method stub
         return false;
     }

